1

Erasure coding and AONT algorithm selection for Secure Distributed Storage

Alem Abreha, Sowmya Shetty ECE-646

Department of Electrical and Computer Engineering Volgenau School of Engineering

George Mason University

Abstract

Distributed storage system is used for storing data across nodes in a network in a dispersed manner for security and resiliency. This is applicable in Storage Area Networks, Network Attached Storages, Backup Systems, communication of secure and confidential information and many other applications. However, security and efficiency are critical requirements. In this paper we researched and compared algorithms for AONT (All-Or-Nothing) and Erasure coding transformations applied for a secure distributed storage scheme.

I Introduction Data storage systems require security mechanisms to ensure confidentiality, privacy and integrity. Storing data in this distributed scheme will secure data in such a way that, data will remain secured and intact after corruption/compromise of a number of the nodes involved in the distributed storage scheme. As a result, the distributed storage scheme provides fault tolerance and resiliency, since data can be safely recovered even after the loss of nodes or data corruption under a specific tolerance level. The security of the scheme depends on AONT (All-Or-Nothing Transformation) while Erasure coding insures resiliency.

Figure 1. Secure Distributed Storage

2

II Secure Distributed Storage components a. AONT (All-Or-Nothing-Transform) AONT first introduced by Rivest, is an un-keyed transformation 𝜙 mapping a sequence of input blocks (x1, x2, x3 … xs) to a sequence of output blocks (y1, y2, y3 … ys’) having the following properties. ● Given all (y1, y2, y3 … ys’) it is easy to compute (x1, x2, x3 … xs) ● If any one of the yi is missing then it is computationally infeasible to obtain any

information about any xi. AONT is applied to the distributed storage scheme here to improve security. Secret key encryption transforms plaintext blocks (x1, x2, x3 … xs) into a sequence of cipher text blocks (z1, z2, z3 … zs’), which makes it possible to obtain a specific plaintext block by performing a single decryption operation on a single cipher text block. Such encryption scheme is called separable. Rivest proposed an encryption mode where an adversary must decrypt all cipher text blocks (z1, z2, z3 … zs’) before he can obtain any particular plaintext block xi. An encryption mode having this property is called non-separable. Using brute-force technique, conventional separable cryptosystems can be attacked to decrypt a cipher text block and compromise security. Brute force attack on a non-separable encryption mode is s’ times slower than an attack on the corresponding separable mode. This implies that by using non-separable modes we can achieve a higher security level without extending the key length. For the secure distributed storage discussed here, AONT transformation is added to make attacks infeasible or at least very difficult if a single cipher text block is missing. This will make the storage scheme remain secure, as long as all of the cipher text blocks are not available to the adversary and it will not be computationally possible to decrypt a single cipher text block. AONT Algorithms 1.Rivest’s AONT Ronald L. Rivest proposed the first AONT transformation in 1997. This algorithm proposes a strongly non-separable encryption mode as follows: Let input message be: m1, m2, m3 … ms and choose a random key K’ for the block cipher. Compute the output sequence m1’, m2’, m3’ … ms’, for s' = s + 1 as follows: mi’ = mi E(K',i) for i = 1,2,3...s and m’s’ = K’ h1 h2 . . . hs where hi = E(ko,mi’ i) for i = 1,2,3 … s ko is a fixed, publically known encryption key. And reverse process to generate the original message is given by:

3

K’ = ms’ h1 h2 . . . hs and mi = mi’ E(K’,i) for i = 1,2,3 … s

Figure 2.1 Rivest’s AONT 2.Boyko’s AONT Proposed by Victor Boyko in 1999, as AONT based on Optimal Asymmetric Encryption Padding (OAEP) with random oracle model.

Figure 2.2 Boyko’s AONT Bellare and Rogaway originally introduced OAEP for the purpose of constructing semantically secure and plaintext-aware public-key encryption schemes from arbitrary trapdoor permutations. For parameters n and k0,“generator”G : {0,1}k0 →{0,1}n, and “hash function” H : {0, 1}n → {0, 1}k0, the transform OAEP : {0, 1}n × {0, 1}k0 → {0,1}n′, for n′ = n+k0, is defined as : 𝑂𝐴𝐸𝑃(𝑥, 𝑟)  = 𝑥  ⊕  𝐺(𝑟)||𝑟  ⊕  𝐻(𝑥  ⊕  𝐺(𝑟))

4

Where || represents concatenation. ‘x’ is the message and r is a random string. In applications, ‘n’ would be the length of a message, and ko would be the security parameter, e.g., ko = 128. |s| = n and |t| = ko. Functions G and H are “random oracles”, as introduced by Bellare and Rogaway. In Boyko’s AONT, random oracles are used to model hash functions G and H. This algorithm is based on ideal random oracles; G and H need to be replaced by deterministic functions. 3.Stinson’s AONT Proposed by D.R. Stinson, this is based on a linear transformation defined as follows: Let Fq be a finite field of order q. An (s,q)-AONT with alphabet Fq is linear if each yi is an Fq linear function of x1, . . . xs. The following theorem provides an easy method of constructing linear all-or-nothing transforms. Theorem: Suppose that q is a prime power, and M is an invertible s-by-s matrix with entries from Fq, such that no entry of M is equal to 0. Then the function φ: (Fq )s → (Fq )s defined by φ(x) = xM−1 is a linear (s, q)-AONT. Proof: If y = xM−1, then x = yM. Since every entry of M is non-zero, each xj (1 ≤ j ≤ s) depends on all s of the yi ’s. More precisely, if n − 1 of the yi ’s are fixed and the remaining value, say yi0, is allowed to vary, then any xj can take on any possible value in Fq, depending on the value of yi0. Suppose q > 2 is a prime power and s is a positive integer. Then there exists a linear (s, q)-AONT. Let q = pk where p is prime and k is a positive integer. Let λ ∈ Fq be such that λ∉ {s−1mod p, s−2mod p}(this can be done since q >2). Sinceλ ≠ s−1mod p, we can define γ = (s − 1 − λ) −1. Now, define M to be the following symmetric matrix for speed optimization:

The inverse of M is given by:

5

The transform (and inverse transform) can be implemented very efficiently. Given x, we can compute y as follows: 1. For 1≤i≤s−1,compute yi =xi +xs. 2. Compute xs =x1+···+xs−1+λxs. Further, given y, we can compute x as follows: 1. Compute ys = γ(x1+···+xs−1− ys). 2. For 1≤i≤s−1, compute xi =yi − xs. b. Erasure Coding A(t,n) erasure code is a method of distributing data D among n nodes, in such a way that the data can be fully recovered using shares stored on any subset of t nodes. Knowledge of fever than t nodes is sufficient to recover at least part of data D. However, erasure codes provide efficiency.

Figure 2.3 Erasure coding 1.Standard Reed-Solomon algorithm: The most general technique for tolerating simultaneous failures with exactly checksum devices is a technique based on Reed-Solomon coding, where m, n are arbitrary. Data D is been divided into ‘t’ devices each consisting of k bytes. RS coding method breaks the data into words, each of w bits. The storage device contain 𝑙 = (𝑘  𝑏𝑦𝑡𝑒𝑠)((8  𝑏𝑖𝑡𝑠)/𝑏𝑦𝑡𝑒)  ((1  𝑤𝑜𝑟𝑑)/(𝑤  𝑏𝑖𝑡𝑠))  = 8𝑘/𝑤  𝑤𝑜𝑟𝑑𝑠

Assume each device consists of 1 word. ● The Vandermonde matrix is used to calculate and maintain checksum words

6

● Gaussian Elimination used to recover from failures ● Galois Fields used to perform arithmetic.

Encoding: Checksum of m devices each of k bytes are calculated as:  𝐶_𝑖 = 𝐹_𝑖  (𝑑_(1〖_〗),𝑑_2, . . .    𝑑_𝑡) We define F to be m x t Vandermonde matrix: 𝑓_(𝑖, 𝑗) = 𝑗^(𝑖 − 1), and the above equation becomes:

Decoding: To explain recovery from errors, we define the matrix A and vector E as follows: AD =E

If a device 𝑑_𝑗 fails, in decoding 𝑑_𝑗 is calculated as follows. 𝑑_𝑗 = 𝑑_(1  )⊕. . . .⊕ 𝑑_(𝑗 − 1)⊕ 𝑑_(𝑗 + 1)⊕. . .⊕ 𝑑_𝑡⊕ 𝑐_1 If there are any ‘t’ devices available, then the data devices are calculated using Gaussian elimination method. Once the data is reconstructed, then the checksum data is recomputed from data words and F. Hence the whole system is recomputed. 2.Cauchy Reed-Solomon Codes (CRS): Following modification are done to Reed-Solomon codes

7

1.Instead of using a Vandermonde matrix, CRS coding employs an t×n Cauchy matrix, over GF (2^w), where n + t ≤ 2w, which improves the performance of matrix inversion for decoding. 2.Eliminate the expensive multiplications of RS codes by converting them to extra XOR operations, so that encoding takes O(𝑛𝑙𝑜𝑔_2  (𝑡 + 𝑛)) XORs per coding block. Properties of Cauchy matrix: 1.Every square matrices of Cauchy matrix is invertible 2.Encoding is a linear function of message and the un-encoded message 3.Decoding is inversely proportional to un-encoded message received Let F be a field and let {𝑥_1. . . 𝑥_𝑡}, {𝑦_1…𝑦_𝑛} be two sets of elements in F such that (i) ∀  𝑖  𝜖  {1. . . , 𝑡}  ∀  𝑗  𝜖  {1. . .𝑛}:  𝑥_𝑖+ 𝑦_𝑖 ≠ 0 (ii)  ∀  𝑖, 𝑗  𝜖  {1. . . , 𝑡}, 𝑖 ≠ 𝑗:  𝑥_𝑖 ≠ 𝑥_𝑗  𝑎𝑛𝑑  ∀  𝑖, 𝑗  𝜖  {1. . .𝑛}, 𝑖 ≠ 𝑗:  𝑦_𝑖 ≠ 𝑦_𝑗

The matrix is called Cauchy matrix over F. Consider for t data devices each having ‘L’ words of size ‘w’, where ‘w’ is chosen arbitrarily L >= max (log(t), log(n-t)) The encoding for XOR can be done using O(t(n-t)L^2) XOR’s of word of size w. The decoding for XOR-code can be done using O(tkL^2) XOR’s of word size w and O(k^2) arithmetic operations in field GF[2^L], assuming (t-k) information packets and k redundant packets are given. 3.Rabin’s Information dispersal algorithm: The IDA is an algorithm introduced by Michael O. Rabin in his paper “Efficient dispersal of information for security, load balancing, and fault tolerance”. The algorithm provides a way to break a file into n pieces such that only t pieces are required to reconstruct the file (1 ≤ t ≤ n). Along with Shamir’s secret key sharing scheme, any t-1 pieces give no information about the data. Dispersal (F, t, n): -Splitting the data of F into n pieces. Fi(1<=i<=n) F = b1, b2.... bn --|F| = n and bi represents each byte in F(0<=bi<=255) --Computations are done in GF(2^8)

● t is threshold F = (𝑏_1. . . 𝑏_𝑡), (𝑏_(𝑡 + 1). . . 𝑏_2𝑡). . . (𝑏_(𝑁 − 𝑡). . . 𝑏_𝑁) 𝑆_𝑖 = (𝑏_((𝑖 − 1)𝑡 + 1), . . . , 𝑏_𝑖𝑡)〖^𝑇〗  (1 ≤ 𝑖 ≤ 𝑁/𝑡  )

● The matrix M(t x N/t) is constructed as follows

8

M = [𝑆_(1  )  𝑆_(2  ). . . 𝑆_(𝑁/𝑡)] ● The matrix A(nxt) is constructed as follows:

A is equal to

𝑎_1

𝑎_2

...

𝑎_𝑛

𝑎_𝑖 = (𝑎_(𝑖  1), . . . . ,𝑎_(𝑖  𝑡))(1 ≤ 𝑖 ≤ 𝑛) Chosen such that every subset of m different vectors is linearly independent. Following Vandermonde matrix satisfies the above property A

Always t<=n and all xi’s are nonzero elements in GF(2^8) and pairwise different. Any t different rows are linearly independent, so any matrix composed of a set of any t different rows is invertible.

● F = A. M

                           𝑎_𝑖. 𝑆_𝑘 =   (𝑎_𝑖1  𝑏_((𝑘 − 1)  𝑡 + 1)+. .+𝑎_(𝑖  𝑡)  𝑏_(𝑘  𝑡))

9

III Comparison of Algorithms a. AONT algorithms comparison

1 Rivest’s AONT Rivest AONT is implemented and performance is benchmarked by Jason and Plank [8]. To assess actual performance, open-source C libraries were used to perform the various functionalities. All tests were performed on a 4-core Intel Xeon W3530 at 2.80 GHz with 6GB of memory at 1066 MHz running Linux kernel 2.6.32. Despite having multiple cores, all benchmarks were performed using a single thread. The encoding time for AONT is dependent on the choice of cipher and hash function. To encode S bytes using AONT, both the cipher and hash function must process S bytes. Therefore the time equals the sum of the time to encrypt S bytes plus the time to hash S bytes. The test includes performance of two pairs of cipher/hash algorithms, one tailored for high security (AES-256 and SHA-256) and the other tailored for performance (RC4-128 and MD5). This test was implemented using OpenSSL 0.9.8k with a block size of 8 KB.

Encoding Rate (MB/s)

AES-256 143.30

RC4-128 414.17

SHA256 160.03

MD5 559.47

Table 3.1 Table shows encoding rates for encryption and hashing functions. Using the above algorithms, two functions are derived for AONT(S), one which is secure, AONTsecure (AES-256 and SHA-256), and one that is fast, AONTfast (RC4-128 and MD5). Encoding times for these two combinations are given by:

AONTsecure (S) = 𝑆/(75.60𝑀𝐵/𝑠) AONTfast (S) = 𝑆/(237.99𝑀𝐵/𝑠)

Encryption is done twice in Stinson’s AONT which slows down the whole operation of the encoding operation for the distributed secure storage scheme.

10

2 Boyko’s AONT In order to implement Boyko’s AONT based on the OAEP model, the random oracle functions G and H need to be replaced by hash functions with variable outputs. This is a requirement because, the sizes of the input and output must remain the same, i.e. |s| = n and |t| = ko for the AONT scheme to remain valid. Hash functions are deterministic, meaning that the output is completely determined by the input. Hash functions take octet strings of variable length, and generate fixed length octet strings. The hash functions should be collision resistant. This means that it is infeasible to find two distinct inputs to the hash function that produce the same output. A collision resistant hash function also has the desirable property of being one-way; this means that given an output, it is infeasible to find an input whose hash is the specified output. In addition to the requirements, the hash function should yield a mask generation function with pseudorandom output. The size of the OAEP output can be determined by the output size of the mask generation function. A mask generation function takes an octet string of variable length and a desired output length as input, and outputs an octet string of the desired length. There may be restrictions on the length of the input and output octet strings, but such bounds are generally very large. Mask generation functions are deterministic; the octet string output is completely determined by the input octet string. The output of a mask generation function should be pseudorandom, that is, if the seed to the function is unknown, it should be infeasible to distinguish the output from a truly random string. The plaintext-awareness of OAEP relies on the random nature of the output of the mask generation function, which in turn relies on the random nature of the underlying hash. MGF1 is a mask generation function based on a hash function and can be used to implement variable length output hash functions. MGF1 is explained here for the implementation of Boyko’s AONT based on OAEP.

11

Figure 3.1 MGF1 implementation Pseudo code MGF1 has quiet a few libraries which can be used for implementation: Java library: http://javadoc.iaik.tugraz.at/iaik_jce/3.13/iaik/pkcs/pkcs1/MGF1.html Botan has a C++ library: http://fossies.org/dox/Botan-1.10.3/mgf1_8cpp_source.html OpenSSL has a C implementation: http://www.openssl.org/source/ Since Boyko’s AONT is proposed here to be implemented using MGF1 with hash functions, we can easily expect the fastest AONT implementation.

Feature Rivest’s AONT

Boyko’s AONT

Stinson’s AONT

Ease of Implementati

on

Easy Medium Hard

Speed Low - High *High N/A

AONT Security

Yes Yes N/A

*High = the fastest of all Algorithms Table 3.2 AONT Algorithm comparisons

12

c. Erasure coding algorithm comparison Reed Solomon Code: Pros: RS-raid coding is the only general solution for all values of t and n. Cons: Multiplication and division are complex and use Galois field, slows down the operation. Cauchy Reed Solomon Code: Pros: Compared to RS, code performance has been improved. Cons: Slow compared to other erasure codes, since the encoding is not constant number of XOR’s per coding block instead it is O(nlog(base 2)(t+n)) XOR’s per coding block. Rabin’s IDA: Pros: offer sufficient security against reconstructing consecutive portions of data (cipher text) based on the information stored on t-1 or fewer compromised servers. Cons: Shares are typically a complex function of a larger subset of data, which in turn affects efficiency.

Feature RS CRS Rabin’s IDA

Speed Low High Medium

Capacity to reconstruct partial

information

More More Less

Size of each share D/t 8k/w

(Words)

>=Max (log(t), log(n-t))

Equal Size

Table 3.3 Comparison of erasure code algorithms Of the many available online libraries, Zfec implemented the fastest classic Reed-Solomon coding, and Jerasure implemented the fastest versions of the others. Pseudo code Reed-Solomon: a. Zfec: Parameters passed: t, n t threshold, n- total number of blocks of data

13

1<=n<=256, 1<=t<=n 1.Input data split into t buffers and all of them of same length 2.Construct a C array of gf*'s of the input data 3.The encoding matrix is computed starting with a Vandermonde matrix, and then transforming it into a systematic matrix. 4.systematic matrix: Perform linear operation to construct identity matrix at the top: * Invert the top t x t Vandermonde matrix; multiply right the bottom n-t rows by the inverse. 5.Usage of tables for logarithm, exponent, inverse of a number and multiplication as well, speeds up the computation. b.reed sol 02.c:(Jerasure) Parameters: t, m and w: It creates and prints three matrices in GF(2w): 1. A (t + m) × t extended Vandermonde matrix. 2. The (t + m) × t distribution matrix created by converting the extended Vandermonde matrix into one where the first t rows are an identity matrix. Then row t is converted so that it is all ones, and the first column is also converted so that it is all ones. 3. The m × t coding matrix, which is last m rows of the above matrix. This is the matrix, which is passed to the encoding/decoding procedures of jerasure.c. Note that since the first row of this matrix is all ones, you may set int row k ones of the decoding procedures to one. Note also that w may have any value from 1 to 32. Cauchy-reed Solomon: Jerasure (original matrix) • Construct the usual Cauchy matrix M such that M[i, j] =1/i⨁ (m+j), where division is over GF(2w), ⨁ is XOR and the addition is regular integer addition. Jerasure (Good matrices) Improves coding matrix by following operations • For each column j, divide each element (in GF(2^w)) by M[0, j]. This has the effect of turning each element in row 0 to one. • Next, for each row i > 0 of the matrix, do the following: – Count the number of ones in the bit representation of the row. – Count the number of ones in the bit representation of the row divided by element M[i, j] for each j. – Whichever value of j gives the minimal number of ones, if it improves the number of ones in the original row, divide row i by M[i, j].

14

IV Conclusion AONT: ○ Rivest's AONT uses standard encryption and hash functions which makes it the easiest

candidate to implement and gives the options to tune on speed or security. ○ Very fast encoding speed can be achieved by implementing Boyko's AONT based on

MGF1 for variable output hash function. ○ Stinson's AONT currently doesn't have any implementation or available libraries that can

be used to implement it. Stinson’s AONT implementation can be an area of future research

Erasure code: ○ Cauchy Reed-Solomon coding outperforms classic Reed-Solomon coding significantly,

as long as attention is paid to generating good encoding matrices. ○ Parameter selection can have a huge impact on how well an implementation performs.

Not only must the number of computational operations be considered, but also how the code interacts with the memory hierarchy, especially the caches.

References

[1] I. S. Reed and G. Solomon, 1960. Polynomial codes over certain finite fields. J. Soc. Indust. Appl. Math. 8, 10, 300—304 [2] Jerasure: A Library in C/C++ Facilitating Erasure Coding for Storage Applications, available at http://web.eecs.utk.edu/~plank/plank/papers/CS-08-627.html [3] C. Schuman, J.S. Plank, “A Performance Comparison of Open-Source Erasure Coding Libraries for Storage Applications,” Technical Report UT-CS-08-625, Department of Electrical Engineering and Computer Science University of Tennessee, 2008. [4] D. R. Stinson, “22, 133–138”, in Designs, Codes and Cryptography, Boston: Kluwer Academic Publishers, 2001. [5] Valer Canda and Tran Van Trung, “A New Mode of Using All-Or-Nothing Transforms”, Institute for Experimental Mathematics, University of Essen, October 23, 2001. [6] Ronald L. Rivest, “All-or-Nothing Encryption and the Package Transform”, MIT Laboratory for Computer Science, 1997 [7] Victor Boyko, ”On the Security Properties of OAEP as an All-or-Nothing Transform”, 1999 [8] Jason K. Resch and James S. Plank, “AONT-RS: Blending Security and Performance in Dispersed Storage Systems 9th USENIX Conference on File and Storage Technologies” , San Jose, CA, February, 2011. [9] Jonsson & Kaliski, RFC 3447, Available at http://www.ietf.org/rfc/rfc3447.txt, February 2003 [10] Kaliski & Staddon, RFC 2437, Available at http://www.ietf.org/rfc/rfc2437.txt, October 1998 [11] A Performance Evaluation and Examination of Open-Source Erasure Coding Libraries For Storage, available at http://static.usenix.org/events/fast09/tech/full_papers/plank/plank.pdf [12] Zfec 1.4.24, available at http://pypi.python.org/pypi/zfec